Terraform module to configure GitHub Actions with an AWS Identity Provider for OpenID Connect (OIDC).
This allows GitHub Actions to authenticate against AWS without using any long-lived keys.
This module provisions the necessary role and permissions as defined in the
official GitHub docs.
Multiple repo configuration
This module allows you to create roles for lists of repos (subjects) and policies in the AWS account.
Currently it only supports policies in the same account as the role being created.
This is helpful for non-monorepo style groups as well as for large organizations where teams own separate repos that deploy to the same AWS account.
Debugging features
The assume_role_names input allows you to assume the OIDC role and act as if you were the GitHub Actions pipeline.
This is very useful for debugging while you're getting things set up.
Note: we recommend removing this once you're production-ready so that all further changes are only applied via the pipeline.
Example GitHub Action
```yaml
jobs:
  apply-terraform-main:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@v2
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          role-to-assume: arn:aws:iam::{account_id}:role/ci/GithubCI-OIDC-TF
          aws-region: us-west-2
          role-duration-seconds: 1200 # can be up to the max set in the terraform module, defaults to 15 min
```
Maximum session duration in seconds. By default the assumed role session will be 15 minutes; when calling from Actions you'll need to raise role-duration-seconds, up to the maximum allowed here.
Role name to repos and policies mapping. The role name is the key and the value is an object with the repo subjects, e.g. "repo:organization/infrastructure:ref:refs/heads/main", a list of policy ARNs, e.g. ["Administrator"], and a list of roles that can assume the new role for debugging.
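The Terraform below is an added example written for this page; it is not the module's own code. It spells out the resources a module like this creates for the role-name-to-repos mapping and the debugging roles described above, so the trust boundary is visible: the OIDC provider, one role per map key whose trust policy requires both the GitHub audience and an exact subject match, the policy attachments, and an optional statement letting named roles assume the role for debugging. The variable names `roles` and `max_session_duration`, the local names, and the sample org/repo and policy values are assumptions, and `optional()` in the object type needs Terraform 1.3 or newer.

```hcl
# Added example, not the module's code. Assumed names: var.roles,
# var.max_session_duration, the locals, and the sample org/repo values.
locals {
  github_oidc_url = "https://token.actions.githubusercontent.com"
  github_audience = "sts.amazonaws.com"
}

variable "max_session_duration" {
  description = "Maximum session duration in seconds; IAM allows 3600 to 43200."
  type        = number
  default     = 3600
}

# Role name -> repo subjects, policy ARNs, and roles allowed to assume it for debugging.
variable "roles" {
  type = map(object({
    subjects          = list(string)
    policy_arns       = list(string)
    assume_role_names = optional(list(string), [])
  }))
  default = {
    "GithubCI-OIDC-TF" = {
      subjects    = ["repo:organization/infrastructure:ref:refs/heads/main"] # constructed sample
      policy_arns = ["arn:aws:iam::aws:policy/ReadOnlyAccess"]               # swap for what the pipeline needs
    }
  }
}

data "aws_caller_identity" "current" {}

data "tls_certificate" "github" {
  url = local.github_oidc_url
}

resource "aws_iam_openid_connect_provider" "github" {
  url             = local.github_oidc_url
  client_id_list  = [local.github_audience]
  thumbprint_list = [data.tls_certificate.github.certificates[0].sha1_fingerprint]
}

data "aws_iam_policy_document" "trust" {
  for_each = var.roles

  # Without the sub condition, a token from any GitHub repository could assume this role.
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.github.arn]
    }
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:aud"
      values   = [local.github_audience]
    }
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:sub"
      values   = each.value.subjects
    }
  }

  # Debugging path: only emitted when assume_role_names is non-empty.
  dynamic "statement" {
    for_each = length(each.value.assume_role_names) > 0 ? [1] : []
    content {
      effect  = "Allow"
      actions = ["sts:AssumeRole"]
      principals {
        type = "AWS"
        identifiers = [
          for name in each.value.assume_role_names :
          "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${name}"
        ]
      }
    }
  }
}

resource "aws_iam_role" "ci" {
  for_each             = var.roles
  name                 = each.key
  path                 = "/ci/"
  max_session_duration = var.max_session_duration
  assume_role_policy   = data.aws_iam_policy_document.trust[each.key].json
}

# One attachment per (role, policy ARN) pair; same-account or AWS-managed ARNs only.
resource "aws_iam_role_policy_attachment" "ci" {
  for_each = {
    for pair in flatten([
      for role_name, role in var.roles : [
        for arn in role.policy_arns : { role = role_name, arn = arn }
      ]
    ]) : "${pair.role}:${pair.arn}" => pair
  }
  role       = aws_iam_role.ci[each.value.role].name
  policy_arn = each.value.arn
}
```

The `aud` and `sub` conditions together are what make this safer than a long-lived key: the role can only be assumed by a GitHub-issued token for the listed refs. Subjects of the form `repo:org/repo:*` would be wider; pin to `ref:refs/heads/main` or to an `environment:` subject for production roles, and drop `assume_role_names` once the pipeline is the only path that should change the account.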